on 12-08-2009 9:06 AM
Hello,
We successfully enabled SSO using Kerberos on one SAP instance.
We now try to enable SSO on a second SAP instance, which is on the same physical UNIX box.
SAPGUI error: "SAP system Message:"
Error in the Windows event log:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 8:43:34.0000 12/8/2009 Z
Error Code: 0x1b Unknown Error
Extended Error:
Client Realm:
Client Name:
Server Realm: DOMAIN.COM
Server Name: user
Target Name: user @ DOMAIN.COM
Error Text:
File: 9
Line: efb
Error Data is in record data.
Configuration:
p:SAPService/server1.domain.com @ DOMAIN.COM
p:SAPService/server2.domain.com @ DOMAIN.COM
(I had to add a space to @ otherwise I cannot post this message on the forum)
Is it a problem that we used SAPService twice?
Or should we use two different names here?
Otherwise we cannot think of another reason.
Thank you for your feedback
Hans
Is it a problem that we used SAPService twice?
Or should we use two different names here?
If both SAPService entries are in the same domain then I think it will be a problem using the same name; if the domain is different then it shouldn't matter.
If it's the same domain used for each SAP instance on the same Unix "box" then I have to ask why you are using two separate SPNs?
--
Nelis
Hi Nelis,
thank you for your feedback
yes, all machines are in the same domain.
We have 1 UNIX box which has a DNS name.
Each SAP instance also has a virtual DNS name.
So in fact each SAP instance has a different hostname; therefore I assume we need to use different SPNs, no?
Or will the physical DNS name of the box be sufficient?
thank you for your time
Hans
So in fact each SAP instance has a different hostname; therefore I assume we need to use different SPNs, no?
Or will the physical DNS name of the box be sufficient?
From what I remember you only require the physical DNS name of the actual Unix server.
So when you register the SPN you use something like:
setspn -A SAPService/<physical server full dns name> <DOMAIN>\<service user>
Then you export the key and import it into your Unix "box". You can then copy the generated key file to each application server, and all instances on the same machine use the same SPN/key file (if it's the same domain). So all authentication will be seen to be coming from the same system.
--
Nelis
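An added example, not code from the thread or from SAP or Microsoft, for the last step Nelis describes: once the key exported with ktpass has been copied to the UNIX box, the file should contain exactly one principal, the SPN of the physical host, and nothing cut for a per-instance virtual hostname. The script below parses the MIT keytab format (version 0x0502, the format ktpass and the MIT/Heimdal tools write) and reports anything else it finds. The physical hostname `unixhost.domain.com` is an assumption (the thread never names it), `server2.domain.com` is one of the virtual names from the original post, and all keys are dummy zero bytes. One caveat on the event-log entry in the first post: error code 0x1b is decimal 27, KDC_ERR_MUST_USE_USER2USER in RFC 4120 terms, which a KDC returns when the requested target is a user principal rather than a service with a registered key; that matches the posted "Target Name: user @ DOMAIN.COM" and is fixed on the AD side with setspn, not in the keytab. This checker only confirms what ended up on the UNIX side.

```python
"""Check a keytab copied to a SAP host: it must hold exactly the SPN registered
for the physical server (SAPService/<fqdn>@REALM).  Added example; the sample
keytabs are constructed here with dummy zero-byte keys, not real exports."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab, file format version 2
KRB5_NT_PRINCIPAL = 1        # name type set by ktpass -ptype KRB5_NT_PRINCIPAL
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # "SAPService/unixhost.domain.com@DOMAIN.COM"
    name_type: int
    kvno: int
    enctype: int     # 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96
    key: bytes


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:             # negative size marks a deleted entry (a hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):   # v2 keytabs do not count the realm as a component
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:       # optional 32-bit kvno written by newer tools
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries) -> bytes:
    """Write entries in the same format; used here only to construct samples."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", e.name_type, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, expected_spn: str, realm: str) -> list:
    """Return findings; an empty list means the keytab is what the SAP host needs."""
    want = f"{expected_spn}@{realm}"
    entries = parse_keytab(data)
    findings = []
    if not any(e.principal == want for e in entries):
        findings.append(f"missing expected principal {want}")
    for e in entries:
        if e.principal != want:
            findings.append(f"unexpected principal {e.principal} (one SPN per physical host)")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"{e.principal}: name type {e.name_type}, expected KRB5_NT_PRINCIPAL")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal}: weak enctype {WEAK_ENCTYPES[e.enctype]}")
    return findings


# Constructed samples: the physical-host SPN (hostname assumed) and a keytab
# cut for the virtual hostname of one instance with RC4, as in the first post.
KEYTAB_PHYSICAL = build_keytab([KeytabEntry(
    "SAPService/unixhost.domain.com@DOMAIN.COM", KRB5_NT_PRINCIPAL, 2, 18, bytes(32))])
KEYTAB_VIRTUAL = build_keytab([KeytabEntry(
    "SAPService/server2.domain.com@DOMAIN.COM", KRB5_NT_PRINCIPAL, 2, 23, bytes(16))])

if __name__ == "__main__":
    for label, kt in (("physical", KEYTAB_PHYSICAL), ("virtual", KEYTAB_VIRTUAL)):
        print(label, check_keytab(kt, "SAPService/unixhost.domain.com", "DOMAIN.COM") or "OK")
```

Run it against the file after each copy to an application server, with the physical FQDN as `expected_spn`. The file holds the service account's long-term key, so it should also be owned by the SAP administrator user and readable by no one else (mode 0600); that is outside what this parser checks.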
Hi Nelis,
this did the trick.
We ran the commands for the physical server id and this worked.
Next topic where I can use your help.
Normally users should be edited in SU01 to enter the SNC data.
This information is added to table USRACL
Do you have knowledge how we can automate this ?
(or how we can do this in bulk)
Thank you for your help
Hans
Hello Andy,
Please Refer the below link.
http://scn.sap.com/thread/3262668
Hope that would help you.
Let me know if you need more info.
Cheers,
Nick
Hi hans
Could you please share information about configuring SSO for a UNIX system?
In my case we have ERP on AIX servers and we want to do SSO with AD (Windows). For AIX/UNIX, is there a special library for Kerberos, or how is it configured?
thanks
Andy
Hello Andy,
We have successfully configured Single Sign-On (SSO) on our Development and Quality systems using Kerberos. These two systems are central systems (no application server attached to them). We have tested the functionality and it is working fine.
@ all,
Now we have to configure the same setup in the Production system, where there is an application server which also works as a fail-over node. How do I proceed here? Could one of you confirm the points below?
1) Do I need to install Kerberos on both the Central Instance and the Dialog Instance?
2) Do I need to generate 2 separate keytabs in AD for CI and DI?
3) Do I have to set the SPN twice (CI & DI) for the same user ID?
4) Do I need to maintain the SNC parameters in the instance profile of both CI and DI?
5) I have a logon group created and assigned to both CI and DI. In the normal case, load balancing happens. What changes do I need to make in saplogon.ini to keep the same load-balancing mechanism after implementing SSO?
Please clarify them in detail. I would very much appreciate all your help.
Thanks,
Nick S
Hi Nick
Could you share the procedure that you followed to set up SSO between SAPGUI and Unix, please? I have only set up SSO for a Java system and not for ABAP Unix systems.
About your questions, I guess that you have to set up SSO on CI and DI. For example, I configured SSO for Portal 7.3 (CI and DI); in AD I set the SPN service for each server, but there is no load balancing yet.
So I guess it's the same for ABAP: you have to do it for each server.
Regards
Andy
Hello Hans,
I am glad to hear that it is possible - to create SSO using Kerberos for SAP on Unix.
I have a task: allow automatic logon to SAP (AIX, DB2) from Windows workstations. I am trying to find any documentation, but without result. I found a little bit about the situation with SAP on a Windows server, but this didn't help.
May I ask you to send some info/docs about required steps to configure SSO with Kerberos? Where to find Kerberos library for AIX? What I need to install on workstations?
Thanks,
Ilgvars